When they give you a $10M fine, a 250-page "report" and 127 NERC-CIP violations because you weren't careful enough about OT Cyber Security...

We can no longer say "I didn't know anything about it" or "they didn't warn me": Cyber Security in industrial environments is now discussed at every fair and conference.

Best Practices and Directives (and regulations) are available to everyone, and everyone must comply: if you are looking for an expert to collaborate with on the security of your plants or processes, ask ServiTecno!


But let's go back to the topic of the article: I report the reasons for the sanction below, with the complete 250-page text and further information at the end of the article.

Folks, if you work for an entity subject to NERC CIP or provide consulting/support services for an entity that is subject to NERC CIP, you must read up on the latest NERC/FERC enforcement action that resulted in a $10M settlement agreement.

The settlement with the “unidentified entity” also includes “other remedies and actions to mitigate and facilitate future compliance” so the cost of violations is even higher than the actual penalty.

The findings included 127 violations of the NERC CIP standards with findings that included violations of 10 out of the 11 standards in effect at the time – only CIP-008 was not included.

The determination was that the collective risk of the 127 violations posed “a serious risk to the security and reliability of the Bulk Power System (BPS)” made worse by the long duration of some violations. In some cases the identified standards were version 3 so that means the violation dated back to before July 2015.

The key contributing causes were identified as:

  • Lack of management engagement, support, and accountability relating to the CIP compliance programme;
  • Disassociation of compliance and security that resulted in a deficient program and program documents, lack of implementation, and ineffective oversight and training;
  • Organizational silos in the form of a lack of communication between management levels within the Companies, which contributed to a lack of awareness of the state of security and compliance;
  • Organizational silos across business units that resulted in confusion regarding expectations and ownership of tasks, and poor asset and configuration management practices.

Sound familiar? I wouldn't be surprised… none of these are unique to this unnamed organization.

NERC CIP is hard… it's really hard! But without adequate managerial support, it's impossible.

Management took it on the chin in this report – it should be mandatory reading for every CIP Senior Manager and executive leader at Registered Entities. We can and must do better than this to protect our most critical of critical infrastructures. The full report is attached and can also be obtained here.



LINK TO THE COMPLETE DOCUMENT (250 PAGES)

https://www.nerc.com/pa/comp/CE/Enforcement%20Actions%20DL/Public_FinalFiled_NOP_NOC-2605_Part%201.pdf

https://ics-community.sans.org/t/m2w5x3/10000000-settlement-agreement-for-nerc-cip-violations

https://ics-community.sans.org/media/x16dk0/download/public_finalfiled_nop_noc_2605_part_1.pdf